<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="UTF-8">
    <title>Kubescape Scan Report</title>
  </head>
  <style>
  :root {
    --cell-padding-vertical: 0.25em;
    --cell-padding-horizontal: 0.25em;
    --font-family-sans: system-ui, -apple-system, sans-serif;
  }
  body {
    max-width: 60em;
    margin: auto;
    font-family: var(--font-family-sans);
  }
  table {
    width: 100%;
    border-top: 0.1em solid black;
    border-bottom: 0.1em solid black;
    border-collapse: collapse;
    table-layout: fixed;
  }
  th {
    text-align: left;
  }
  td, th {
    padding-top: var(--cell-padding-vertical);
    padding-bottom: var(--cell-padding-vertical);
    padding-right: var(--cell-padding-horizontal);
    vertical-align: top;
  }
  td > p {
    margin: 0;
    word-break: break-all;
    hyphens: auto;
  }
  thead {
    border-bottom: 0.01em solid black;
  }
  .numericCell {
    text-align: right;
  }
  .controlSeverityCell {
    width: 10%;
  }
  .controlNameCell {
    width: 50%;
  }
  .controlRiskCell {
    width: 10%;
  }
  .resourceSeverityCell {
    width: 10%;
  }
  .resourceNameCell {
    width: 30%;
  }
  .resourceURLCell {
    width: 10%;
  }
  .resourceRemediationCell {
    width: 50%;
  }
  .logo {
    width: 25%;
    float: right;
  }
  </style>
  <body>
    <img class="logo" src="https://raw.githubusercontent.com/kubescape/kubescape/master/core/pkg/resultshandling/printer/v2/pdf/logo.png">
    <h1>Kubescape Scan Report</h1>
    
    <h2>By Controls</h2>
    <h3>Summary</h3>
    <table>
      <thead>
        <tr>
          <th>All</th>
          <th>Failed</th>
          <th>Excluded</th>
          <th>Skipped</th>
        </tr>
      </thead>
      <tbody>
        <tr>
          <td>55</td>
          <td>31</td>
          <td>0</td>
          <td>0</td>
        </tr>
      </tbody>
    </table>
    <h3>Details</h3>
    <table>
      <thead>
      <tr>
        <th class="controlSeverityCell">Severity</th>
        <th class="controlNameCell">Control Name</th>
        <th class="controlRiskCell">Failed Resources</th>
        <th class="controlRiskCell">Excluded Resources</th>
        <th class="controlRiskCell">All Resources</th>
        <th class="controlRiskCell">Risk Score, %</th>
      </tr>
      </thead>
      <tbody>
      
      
        <tr>
          <td class="controlSeverityCell">Critical</td>
          <td class="controlNameCell">API server insecure port is enabled</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Critical</td>
          <td class="controlNameCell">CVE-2022-39328-grafana-auth-bypass</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Critical</td>
          <td class="controlNameCell">Disable anonymous access to Kubelet service</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Critical</td>
          <td class="controlNameCell">Enforce Kubelet client TLS authentication</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Applications credentials in configuration files</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">36</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.13 Ensure that the admin.conf file permissions are set to 600</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.14 Ensure that the admin.conf file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.16 Ensure that the API Server --secure-port argument is not set to 0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.2 Ensure that the API Server --token-auth-file parameter is not set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.25 Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.26 Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.27 Ensure that the API Server --client-ca-file argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.28 Ensure that the API Server --etcd-cafile argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.30 Ensure that encryption providers are appropriately configured</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.4 Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.6 Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.2.8 Ensure that the API Server --authorization-mode argument includes RBAC</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-1.3.5 Ensure that the Controller Manager --root-ca-file argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-2.2 Ensure that the --client-cert-auth argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-2.5 Ensure that the --peer-client-cert-auth argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-2.7 Ensure that a unique Certificate Authority is used for etcd</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.1.8 Ensure that the client certificate authorities file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.2.1 Ensure that the --anonymous-auth argument is set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-5.1.1 Ensure that the cluster-admin role is only used where required</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">5</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-5.1.3 Minimize wildcard use in Roles and ClusterRoles</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CVE-2022-23648-containerd-fs-escape</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">CVE-2022-47633-kyverno-signature-bypass</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Forbidden Container Registries</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Host PID/IPC privileges</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">HostNetwork access</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">HostPath mount</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Insecure capabilities</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Instance Metadata API</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">List Kubernetes secrets</td>
          <td class="controlRiskCell numericCell">4</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">57</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Privileged container</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">RBAC enabled</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Resource limits</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Resources CPU limit and request</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Resources memory limit and request</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Workloads with Critical vulnerabilities exposed to external traffic</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Workloads with RCE vulnerabilities exposed to external traffic</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">High</td>
          <td class="controlNameCell">Writable hostPath mount</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Access container service account</td>
          <td class="controlRiskCell numericCell">8</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">8</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Allow privilege escalation</td>
          <td class="controlRiskCell numericCell">6</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">86</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Audit logs enabled</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Automatic mapping of service account</td>
          <td class="controlRiskCell numericCell">14</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">15</td>
          <td class="controlRiskCell numericCell">93</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.10 Ensure that the Container Network Interface file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.16 Ensure that the scheduler.conf file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.2 Ensure that the API server pod specification file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.8 Ensure that the etcd pod specification file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.15 Ensure that the admission control plugin NodeRestriction is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.22 Ensure that the API Server --request-timeout argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.23 Ensure that the API Server --service-account-lookup argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.24 Ensure that the API Server --service-account-key-file argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.3 Ensure that the API Server --DenyServiceExternalIPs is not set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.7 Ensure that the API Server --authorization-mode argument includes Node</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.3.1 Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.3.3 Ensure that the Controller Manager --use-service-account-credentials argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.3.4 Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.3.6 Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.3.7 Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-1.4.2 Ensure that the Scheduler --bind-address argument is set to 127.0.0.1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-2.3 Ensure that the --auto-tls argument is not set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-2.6 Ensure that the --peer-auto-tls argument is not set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-3.2.1 Ensure that a minimal audit policy is created</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-3.2.2 Ensure that the audit policy covers key security concerns</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.2 Ensure that the kubelet service file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.11 Ensure that the --rotate-certificates argument is not set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.3 Ensure that the --client-ca-file argument is set as appropriate</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-4.2.4 Verify that the --read-only-port argument is set to 0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.1.2 Minimize access to secrets</td>
          <td class="controlRiskCell numericCell">4</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">57</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.1.4 Minimize access to create pods</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="controlRiskCell numericCell">14</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">15</td>
          <td class="controlRiskCell numericCell">93</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.3.1 Ensure that the CNI in use supports Network Policies</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.4.1 Prefer using secrets as files over secrets as environment variables</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.4.2 Consider external secret storage</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="controlRiskCell numericCell">56</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">61</td>
          <td class="controlRiskCell numericCell">92</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CVE-2021-25741 - Using symlink for arbitrary host file system access.</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CVE-2022-0185-linux-kernel-container-escape</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="controlRiskCell numericCell">6</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">86</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CVE-2022-24348-argocddirtraversal</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Cluster internal networking</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Cluster-admin binding</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Configured liveness probe</td>
          <td class="controlRiskCell numericCell">5</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">71</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Container hostPort</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Containers mounting Docker socket</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">CoreDNS poisoning</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Data Destruction</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Delete Kubernetes events</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Exec into container</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Exposed sensitive interfaces</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Images from allowed registry</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Ingress and Egress blocked</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Linux hardening</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Malicious admission controller (mutating)</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Mount service principal</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">No impersonation</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Non-root containers</td>
          <td class="controlRiskCell numericCell">6</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">86</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Portforwarding privileges</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Secret/ETCD encryption enabled</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Sudo in container entrypoint</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Medium</td>
          <td class="controlNameCell">Workloads with excessive amount of vulnerabilities</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Access Kubernetes dashboard</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">14</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-1.2.13 Ensure that the admission control plugin ServiceAccount is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-1.2.17 Ensure that the API Server --profiling argument is set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-1.3.2 Ensure that the Controller Manager --profiling argument is set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-1.4.1 Ensure that the Scheduler --profiling argument is set to false</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-4.2.8 Ensure that the --hostname-override argument is not set</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CIS-4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">CVE-2022-3172-aggregated-API-server-redirect</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Configured readiness probe</td>
          <td class="controlRiskCell numericCell">5</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">71</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Image pull policy on latest tag</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Immutable container filesystem</td>
          <td class="controlRiskCell numericCell">6</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">86</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">K8s common labels usage</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">14</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Kubernetes CronJob</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Label usage for resources</td>
          <td class="controlRiskCell numericCell">3</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">43</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Malicious admission controller (validating)</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Naked PODs</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Network mapping</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">PSP enabled</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">Pods in default namespace</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">7</td>
          <td class="controlRiskCell numericCell">100</td>
        </tr>
      </tr>
      
        <tr>
          <td class="controlSeverityCell">Low</td>
          <td class="controlNameCell">SSH server running inside container</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">0</td>
          <td class="controlRiskCell numericCell">1</td>
          <td class="controlRiskCell numericCell">0</td>
        </tr>
      </tr>
      
      <tbody>
    </table>
    
    <h2>By Resource</h2>
    
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: admissionregistration.k8s.io/v1</p>
      <p>Kind: MutatingWebhookConfiguration</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: </p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Malicious admission controller (mutating)</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0039">C-0039</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: admissionregistration.k8s.io/v1</p>
      <p>Kind: ValidatingWebhookConfiguration</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: </p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Malicious admission controller (validating)</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0036">C-0036</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-alertmanager</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-alertmanager</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">List Kubernetes secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p>  <p>relatedObjects[1].rules[0].verbs[0]</p>  <p>relatedObjects[1].rules[0].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p>  <p>relatedObjects[1].rules[0].verbs[0]</p>  <p>relatedObjects[1].rules[0].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: alertmanager-release-name-kube-promethe-alertmanager</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Secret</p>
      <p>Name: alertmanager-release-name-kube-promethe-alertmanager</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Secret</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-kubelet</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-kubelet</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-operator</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-operator</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">List Kubernetes secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[2].resources[1]</p>  <p>relatedObjects[1].rules[2].verbs[0]</p>  <p>relatedObjects[1].rules[2].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Data Destruction</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0007">C-0007</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[0]</p>  <p>relatedObjects[1].rules[1].verbs[0]</p>  <p>relatedObjects[1].rules[1].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p>  <p>relatedObjects[1].rules[2].resources[1]</p>  <p>relatedObjects[1].rules[2].verbs[0]</p>  <p>relatedObjects[1].rules[2].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p>  <p>relatedObjects[1].rules[3].resources[0]</p>  <p>relatedObjects[1].rules[3].verbs[1]</p>  <p>relatedObjects[1].rules[3].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p>  <p>relatedObjects[1].rules[4].resources[0]</p>  <p>relatedObjects[1].rules[4].verbs[3]</p>  <p>relatedObjects[1].rules[4].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[2].resources[1]</p>  <p>relatedObjects[1].rules[2].verbs[0]</p>  <p>relatedObjects[1].rules[2].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CoreDNS poisoning</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0037">C-0037</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[2].resources[0]</p>  <p>relatedObjects[1].rules[2].verbs[0]</p>  <p>relatedObjects[1].rules[2].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-prometheus</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-prometheus</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-prometheus</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-prometheus</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-statefulset</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-statefulset</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-namespace-by-pod</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-namespace-by-pod</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-node-rsrc-use</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-node-rsrc-use</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-coredns</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-coredns</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: rbac.authorization.k8s.io/v1</p>
      <p>Kind: RoleBinding</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: rbac.authorization.k8s.io/v1</p>
      <p>Kind: Role</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-prometheus</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-kube-promethe-prometheus</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-namespace</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-namespace</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-proxy</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-proxy</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission-patch</h3>
      <p>ApiVersion: batch/v1</p>
      <p>Kind: Job</p>
      <p>Name: release-name-kube-promethe-admission-patch</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Configured liveness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Configured readiness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-persistentvolumesusage</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-persistentvolumesusage</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-apiserver</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-apiserver</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-grafana-datasource</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-grafana-datasource</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-state-metrics</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-state-metrics</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">List Kubernetes secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[21].resources[0]</p>  <p>relatedObjects[1].rules[21].verbs[0]</p>  <p>relatedObjects[1].rules[21].verbs[1]</p>  <p>relatedObjects[1].rules[21].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[21].resources[0]</p>  <p>relatedObjects[1].rules[21].verbs[0]</p>  <p>relatedObjects[1].rules[21].verbs[1]</p>  <p>relatedObjects[1].rules[21].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-workload</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-workload</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-operator</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-kube-promethe-operator</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-cluster</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-cluster</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-node</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-node</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-workloads-namespace</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-workloads-namespace</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-prometheus-node-exporter</h3>
      <p>ApiVersion: apps/v1</p>
      <p>Kind: DaemonSet</p>
      <p>Name: release-name-prometheus-node-exporter</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">HostNetwork access</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.hostNetwork</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">K8s common labels usage</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
          <td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p>  <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Host PID/IPC privileges</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0038">C-0038</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.hostPID</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-k8s-resources-pod</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-k8s-resources-pod</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana-config-dashboards</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-grafana-config-dashboards</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana-test</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-grafana-test</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-prometheus-node-exporter</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-prometheus-node-exporter</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-workload-total</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-workload-total</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana-test</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-grafana-test</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-state-metrics</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-kube-state-metrics</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-state-metrics</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-state-metrics</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-alertmanager</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Service</p>
      <p>Name: release-name-kube-promethe-alertmanager</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-state-metrics</h3>
      <p>ApiVersion: apps/v1</p>
      <p>Kind: Deployment</p>
      <p>Name: release-name-kube-state-metrics</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Label usage for resources</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
          <td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p>  <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana-test</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: Pod</p>
      <p>Name: release-name-grafana-test</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Label usage for resources</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
          <td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Configured liveness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Naked PODs</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0073">C-0073</a></td>
          <td class="resourceRemediationCell"> <p>metadata.ownerReferences=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.containers[0].securityContext.runAsNonRoot=true</p>  <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p>  <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p>  <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Configured readiness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-operator</h3>
      <p>ApiVersion: apps/v1</p>
      <p>Kind: Deployment</p>
      <p>Name: release-name-kube-promethe-operator</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Configured liveness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Configured readiness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">List Kubernetes secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[1]</p>  <p>relatedObjects[1].rules[0].verbs[0]</p>  <p>relatedObjects[1].rules[0].verbs[1]</p>  <p>relatedObjects[1].rules[0].verbs[2]</p>  <p>relatedObjects[1].rules[0].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
          <td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[1]</p>  <p>relatedObjects[1].rules[0].verbs[0]</p>  <p>relatedObjects[1].rules[0].verbs[1]</p>  <p>relatedObjects[1].rules[0].verbs[2]</p>  <p>relatedObjects[1].rules[0].apiGroups[0]</p>  <p>relatedObjects[0].subjects[0]</p>  <p>relatedObjects[0].roleRef.name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-namespace-by-workload</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-namespace-by-workload</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-alertmanager-overview</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-alertmanager-overview</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-etcd</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-etcd</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-scheduler</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-scheduler</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-prometheus-node-exporter</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-prometheus-node-exporter</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: rbac.authorization.k8s.io/v1</p>
      <p>Kind: RoleBinding</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: </p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Access container service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-pod-total</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-pod-total</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: apps/v1</p>
      <p>Kind: Deployment</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].image</p>  <p>spec.template.spec.containers[0].image</p>  <p>spec.template.spec.containers[1].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p>  <p>spec.template.spec.containers[1].securityContext.seccompProfile.type=RuntimeDefault</p>  <p>spec.template.spec.containers[2].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].resources.requests.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.4.1 Prefer using secrets as files over secrets as environment variables</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0207">C-0207</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[1].env[4].name</p>  <p>spec.template.spec.containers[1].env[5].name</p>  <p>spec.template.spec.containers[2].env[0].name</p>  <p>spec.template.spec.containers[2].env[1].name</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Label usage for resources</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
          <td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p>  <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Configured liveness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].livenessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[2].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[1].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[2].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].resources.requests.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Configured readiness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].readinessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[2].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[1].securityContext.capabilities.drop[0]=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[2].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-prometheus</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-prometheus</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-grafana</h3>
      <p>ApiVersion: rbac.authorization.k8s.io/v1</p>
      <p>Kind: Role</p>
      <p>Name: release-name-grafana</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-node-cluster-rsrc-use</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-node-cluster-rsrc-use</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-controller-manager</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-controller-manager</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-cluster-total</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-cluster-total</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission-create</h3>
      <p>ApiVersion: batch/v1</p>
      <p>Kind: Job</p>
      <p>Name: release-name-kube-promethe-admission-create</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Images from allowed registry</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources CPU limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Pods in default namespace</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0061">C-0061</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resource limits</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Allow privilege escalation</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Configured liveness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>  <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Non-root containers</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">High</td>
          <td class="resourceNameCell">Resources memory limit and request</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Configured readiness probe</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Low</td>
          <td class="resourceNameCell">Immutable container filesystem</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Ingress and Egress blocked</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
          <td class="resourceRemediationCell"></td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Linux hardening</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
          <td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>  <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-operator</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-operator</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-nodes</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ConfigMap</p>
      <p>Name: release-name-kube-promethe-nodes</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
    <h3>Name: release-name-kube-promethe-admission</h3>
      <p>ApiVersion: v1</p>
      <p>Kind: ServiceAccount</p>
      <p>Name: release-name-kube-promethe-admission</p>
      <p>Namespace: default</p>
      <table>
        <thead>
        <tr>
          <th class="resourceSeverityCell">Severity</th>
          <th class="resourceNameCell">Name</th>
          <th class="resourceURLCell">Docs</th>
          <th class="resourceRemediationCell">Assistant Remediation</th>
        </tr>
        </thead>
        <tbody>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">Automatic mapping of service account</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
          <td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
        </tr>
        
        <tr>
          <td class="resourceSeverityCell">Medium</td>
          <td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
          <td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
          <td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
        </tr>
        
        </tbody>
      </table>
    </div>
    
  </body>
</html>
